How to develop, implement, and operate a security program.
Ron Blume is vice president and energy practice director for DYONYX. Contact him at (214) 280-8925 or ron.blume@dyonyx.com.
On May 2, 2006, the North American Electric Reliability Council (NERC) board of trustees adopted the Critical Infrastructure Protection (CIP) Cyber Security Standard. The comprehensive standard—which addresses asset identification, security management controls, personnel and training, perimeter security, systems security, incident reporting and response planning, and recovery plans—is intended to “ensure that all entities responsible[1] for the reliability of the bulk electric systems[2] in North America identify and protect critical cyber assets[3] that control or could impact the reliability of the bulk electric systems.”
On July 20, 2006, the Federal Energy Regulatory Commission (FERC) certified NERC as the Electric Reliability Organization (ERO) charged with the responsibility to develop and enforce bulk-power system[4] reliability standards. The forthcoming mandatory enforcement provisions of the standard raise a number of burning questions for electric utilities:
• How much of an effort will it take in terms of cost and time to develop, implement, and sustain a compliant security program?
• How do the provisions of the standard relate to existing security programs?
• What additional processes, procedures, policies, organizational resources, and additional information support infrastructures (software or hardware) will be required?